I've found it undoable. I've got encrypted passwords and 10.3 seem determined to not let me use them. I've written a script that takes a 10.2 password dump, "nidump passwd . > rawpwfile", and converts it into an import file for the workgroup manager. The script also adds what's needed to turn on Apple's Mail since sendmail has been replaced by postfix. This sort of works. It was no problem with a few users but up past about 100 things become difficult.
You can only import about 100 at a time, and after a few hundred, this takes hours. It took me a week of roung the clock loading to move 500 users. There is a command line script to load these files but I can only get it to load one at a time.
Once loaded, the only way to maintain password info is through netinfo. Using the command line passwd or workgroup manager will result in your encrypted passwords be converted to something else, somewhere else, that you can't find.
The worst part is that lookupd becomes dysfunctional, any attempt on the part of the OS to translate between a UID and username, such as during login or with an ls -l, will send the CPU to the roof and freeze the machine for serveral minutes.
These problesm arise from needing to use the encrypted passwords. If you don't need them or changing all your user's passwords is manually is feasible then simply exporting from 10.2 and importing into 10.3 ( a few at a time) is simple and avoids the problems mentioned above.